Openvpn – Tunneling a public IP to a remote machine

linux-networkingopenvpnstatic-iptunnelvpn

I have a Linux server A with a block of 5 public IP addresses, 8.8.8.122/29.
Currently, 8.8.8.122 is assigned to eth0, and 8.8.8.123 is assigned to eth0:1.

I have another Linux machine B in a remote location, behind NAT. I would like to set up an tunnel between the two so that B can use the IP address 8.8.8.123 as its primary IP address.

OpenVPN is probably the answer, but I can't quite figure out how to set things up (topology subnet or topology p2p might be appropriate. Or should I be using Ethernet bridging?). Security and encryption is not a big concern at this point, so GRE would be fine too — machine B will be coming from a known IP address and can be authenticated based on that.

How can I do this? Can anyone suggest an OpenVPN config, or some other approach, that could work in this situation? Ideally, it would also be able to handle multiple clients (e.g. share all four of spare IPs with other machines), without letting those clients use IPs to which they are not entitled.

Best Answer

I ended up going with the Ethernet bridging. Lots of extremely verbose examples to wade through online, but it turns out to be pretty easy:

First, on A, /etc/network/interfaces was changed from:

auto eth0
iface eth0 inet static
    address 8.8.8.122
    netmask 255.255.255.248
    gateway 8.8.8.121

to:

auto br0
iface br0 inet static
    address 8.8.8.122
    netmask 255.255.255.248
    gateway 8.8.8.121
    pre-up openvpn --mktun --dev tap0
    bridge_ports eth0 tap0
    bridge_fd 3

in order to bridge eth0 (the real WAN interface) with tap0 (a new tunnel interface) at boot.

Then, on A, run the openvpn server with:

openvpn --dev tap0

On B, connect to it with:

openvpn --remote 8.8.8.122 --dev tap0 --route-gateway 8.8.8.121 \
        --redirect-gateway def1 --ifconfig 8.8.8.123 255.255.255.248

That's the super simple config I was looking for, and it works -- B is now publicly accessible at 8.8.8.123, and outgoing connections originate from the same address.

Add security (--secret, --tls-server, etc) as needed, of course.

Related Solutions

Openvpn – Multiple OpenVPN clients on the same host

You would need to elaborate somewhat further what it is you are trying to do. A rough sketch with IP addresses of the hosts involved and a listing of your routing table(s) would help a lot understanding your problem.

my server doesn't seem to configure the tun0 device properly

It is possible for an ifconfig command to fail - maybe you should check the logs for that and post the relevant excerpts.

I want to set up the dual client box such that a computer whose gateway is set to eth0:0 gets all their traffic routed through one OpenVPN tunnel, and a computer whose gateway is set to eth0:1 gets all their traffic routed through a different OpenVPN tunnel

ip rule add from $IP_ETH00 table us_table

That's probably not the best way to achieve what you really want - which seems to be different routes for different clients. While it is possible to add iptables -t mangle rules to mark packets for different criteria, there would be no set of criteria being able to distinguish between eth0:0 and eth0:1 as the input interface (which is due to the way IP aliasing is implemented).

What you can do however is simply set up something like

ip rule add from <ip-of-your-client-for-the-us-table> table us_table

which would eliminate the need for IP aliases in your configuration entirely since the routing decision would be done based on source and destination IP addresses, no matter which interface the packet came in at.

copy_routing_table "us_table"

You've omitted the source of copy_routing_table - if it does what I suspect it does, you would end up with your entire main routing table in us_table. If your main routing table already contains routes potentially conflicting with what you're defining in the script, you might end up using them instead of your newly-added routes. This is especially a concern since you are adding a new default route in your up-script:

 ip route add default via $4 table us_table

As you already have a default route in your "main" table and add another one "via $4" (which is wrong BTW, as $4 would represent a local IP address of the router's own tun interface - you should use "dev $1" instead) without deleting the old route. You should prepend ip route del default table us_table here - and probably something similar for the other routes you add as well.

And this here:

From 192.168.1.133: icmp_seq=2 Redirect Host(New nexthop: 192.168.1.1)

is a message from 192.168.1.133 which is getting the packet for 98.137.149.56 (yahoo.com) and routing it out through 192.168.1.1. Since 192.168.1.133 knows (by evaluation of the interface netmask) that your host is in the same network as 192.168.1.1, you get notified to use 192.168.1.1 directly in the first place.

OpenVPN bridge: remote clients don’t see local

The most likely you forgot to enable forwarding. Add net.ipv4.ip_forward=1 to /etc/sysctl.conf, then sysctl -p or restart. Also try to add following to OpenVPN config:

server-bridge 172.20.200.2 255.255.255.0 172.20.200.100 172.20.200.200
push "route 172.20.200.0 255.255.255.0"

Note that adding interface to bridge, sets promisc flag appropriately. Bridge interface need not to be in promisc mode.

I got the same setup running, but on OpenSUSE, TAP interfaces are created during startup and OpenVPN just opens them - no start/stop script in OpenVPN.

Best Answer

Related Solutions

Openvpn – Multiple OpenVPN clients on the same host

OpenVPN bridge: remote clients don’t see local

Related Topic